Microsoft has provided more details about a recently patched critical zero-day vulnerability in Adobe's Acrobat Reader that was chained with a less severe zero-day in the Windows kernel to compromise Windows 7 machines.

The two exploits were found together in a malicious PDF uploaded to Alphabet-owned VirusTotal in March, and they were the source of conflicting advisories that Microsoft and Adobe each published in May after investigating the document.

Adobe initially said there were no in-the-wild exploits for the Acrobat flaws it patched in May, but revised its advisory shortly afterwards when Microsoft said that a third party held an exploit for the related flaw in the Windows kernel.

Both flaws were discovered by ESET researcher Anton Cherepanov, who described the sample as a "rare case" in which an attacker exploited Reader and Windows together to bypass the Adobe Reader sandbox. Escaping the Reader sandbox normally requires a bug in the operating system itself; what made this sample rare was that it carried both halves of the chain as zero-days: a remote code execution flaw in Reader to get code running inside the sandboxed process, followed by a privilege escalation in the Windows kernel to get out of it.

Windows 7 and Windows Server 2008 systems that have not applied the May patch are still vulnerable, and Microsoft is keen to point out that the kernel flaw does not affect Windows 10, so machines upgraded to Windows 10 would not have been exposed to the privilege escalation even without the patch.

For unpatched older systems the impact is severe, Microsoft says: an attacker who exploited the kernel flaw could run their own code in kernel mode and take full control of the machine, installing programs, viewing or modifying data, or creating new accounts with full user rights.

“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory,” wrote Microsoft's Windows Defender Research team.

Microsoft also revealed a few more details about the Windows elevation-of-privilege flaw, CVE-2018-8120, as exploited on Windows 7 machines that have not been patched against it.

The attack used so-called "reflective" Dynamic-Link Library (DLL) loading. Instead of calling the Windows loader, which would require a DLL file on disk and would register the module in the process's loaded-module list, the attacker's own code copies the DLL into memory and maps it by hand, so the payload never touches disk and does not show up among the modules that security tools enumerate. The technique takes effort because the attacker needs to develop their own custom loader.

The effort involved points to a well-resourced attacker such as a nation-state group, although the technique itself is not exotic: public reflective loaders have existed for years and are built into common post-exploitation frameworks, so the custom loader here is more a sign of tailoring than a barrier to entry. Microsoft took steps to detect it in Windows 10 through Windows Defender ATP. As Microsoft explained in late 2017: “Reflective DLL loading isn’t trivial—it requires writing the DLL into memory and then resolving its imports and/or relocating it. To reflectively load DLLs, one needs to author one’s own custom loader.”
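The artefact a reflective loader leaves behind is executable memory that is private to the process rather than mapped from an image file, and that is what a memory scan can look for. The script below is an added example written for this article, not code from Microsoft or from Windows Defender ATP, and it implements only that heuristic: it walks a process's address space with VirtualQueryEx, reports committed MEM_PRIVATE regions with any PAGE_EXECUTE protection, and reads the first two bytes of each allocation to see whether a PE "MZ" header sits there, as it usually does when a whole DLL has been copied in. It assumes a 64-bit PowerShell 5.1 session run as Administrator; the default target process name "AcroRd32" is only a placeholder and any process name can be passed.

```powershell
# Added example, not from the article or from Microsoft. Heuristic hunt for
# reflectively loaded code: executable memory that is MEM_PRIVATE rather than
# MEM_IMAGE, i.e. not mapped from a module file the Windows loader knows about.
# Assumes a 64-bit PowerShell 5.1 session run as Administrator; "AcroRd32" is
# only a default and any process name can be given.
param([string]$ProcessName = "AcroRd32")

Add-Type -Namespace Win32 -Name Mem -MemberDefinition @"
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress;
    public IntPtr AllocationBase;
    public uint   AllocationProtect;
    public IntPtr RegionSize;
    public uint   State;
    public uint   Protect;
    public uint   Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
    out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
    byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$MEM_COMMIT                = 0x1000
$MEM_PRIVATE               = 0x20000
$PAGE_EXECUTE_ANY          = 0xF0    # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY
$mbiSize = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf([type][Win32.Mem+MEMORY_BASIC_INFORMATION])

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $h = [Win32.Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $proc.Id)
    if ($h -eq [IntPtr]::Zero) { Write-Warning "Cannot open PID $($proc.Id)"; continue }

    $addr = [IntPtr]::Zero
    $mbi  = New-Object -TypeName 'Win32.Mem+MEMORY_BASIC_INFORMATION'
    # Walk the address space one region at a time; VirtualQueryEx fails once
    # the query address passes the highest user-mode address, ending the loop.
    while ([Win32.Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize) -ne [IntPtr]::Zero) {
        $isExec = ($mbi.Protect -band $PAGE_EXECUTE_ANY) -ne 0
        if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and $isExec) {
            # Private executable memory. A DLL copied in whole by a reflective
            # loader still begins with the "MZ" DOS header at its allocation base.
            $buf  = New-Object byte[] 2
            $read = [IntPtr]::Zero
            $null = [Win32.Mem]::ReadProcessMemory($h, $mbi.AllocationBase, $buf, [IntPtr]2, [ref]$read)
            [pscustomobject]@{
                PID      = $proc.Id
                Process  = $proc.ProcessName
                Base     = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                SizeKB   = [int]($mbi.RegionSize.ToInt64() / 1KB)
                Protect  = '0x{0:X}' -f $mbi.Protect
                MZHeader = ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
            }
        }
        $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64())
    }
    $null = [Win32.Mem]::CloseHandle($h)
}
```

Run it as `.\Find-PrivateExec.ps1 -ProcessName AcroRd32` (or any process name). Expect noise: JIT compilers, including Reader's own JavaScript engine, .NET and browsers, legitimately allocate private executable memory, so a region without an MZ header is only a weak signal. A private executable allocation that does start with "MZ" and does not correspond to any entry in the process's module list is the strong one. The scan covers only the user-mode first stage of the chain described above; code the kernel exploit runs in kernel memory is out of reach of a user-mode scanner like this.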

Microsoft also described how the attack established persistence on vulnerable Windows 7 machines.

The message Microsoft is conveying is that everyone should upgrade to Windows 10. Windows 7 Service Pack 1 extended support, where it receives only security updates, expires on January 14, 2020.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.